lockbot 2.3.2__tar.gz → 2.4.0__tar.gz

{lockbot-2.3.2/python/lockbot.egg-info → lockbot-2.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lockbot
-Version: 2.3.2
+Version: 2.4.0
 Summary: Cluster resource management bot for IM platforms
 Author-email: Jianbang Yang <yangjianbang112@gmail.com>
 License: MIT
@@ -33,6 +33,7 @@ Requires-Dist: cryptography
 Requires-Dist: bcrypt
 Requires-Dist: python-multipart
 Requires-Dist: httpx
+Requires-Dist: slowapi
 Provides-Extra: dev
 Requires-Dist: pytest>=7.0; extra == "dev"
 Requires-Dist: ruff>=0.1.0; extra == "dev"

{lockbot-2.3.2 → lockbot-2.4.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "lockbot"
-version = "2.3.2"
+version = "2.4.0"
 description = "Cluster resource management bot for IM platforms"
 readme = "README.md"
 license = {text = "MIT"}
@@ -41,6 +41,7 @@ dependencies = [
     "bcrypt",
     "python-multipart",
     "httpx",
+    "slowapi",
 ]
 
 [project.optional-dependencies]

{lockbot-2.3.2 → lockbot-2.4.0}/python/lockbot/backend/app/admin/router.py

@@ -11,11 +11,12 @@ import tempfile
 import zipfile
 from datetime import datetime
 
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.responses import FileResponse, Response
 from sqlalchemy.orm import Session
 from starlette.background import BackgroundTask
 
+from lockbot.backend.app.audit.service import write_audit_log
 from lockbot.backend.app.auth.dependencies import (
     can_assign_role,
     can_create_user_with_role,
@@ -40,6 +41,7 @@ router = APIRouter(prefix="/api/admin", tags=["admin"])
 
 @router.post("/users", response_model=PasswordResetOut, status_code=201)
 def admin_create_user(
+    request: Request,
     body: AdminCreateUser,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
@@ -67,6 +69,17 @@ def admin_create_user(
         must_change_password=True,
     )
     db.add(user)
+    db.flush()
+    write_audit_log(
+        db,
+        operator,
+        "user.create",
+        target_type="user",
+        target_id=user.id,
+        target_name=user.username,
+        detail={"role": body.role},
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(user)
     return PasswordResetOut(id=user.id, username=user.username, new_password=raw_password)
@@ -108,6 +121,7 @@ def list_users(
 def admin_edit_user(
     user_id: int,
     body: AdminEditUser,
+    request: Request,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
 ):
@@ -120,16 +134,19 @@ def admin_edit_user(
     if not can_manage_user(operator, target.role):
         raise HTTPException(status_code=403, detail="Cannot manage this user")
 
+    changes: dict = {}
     if body.username is not None and body.username != target.username:
         dup = db.query(User).filter(User.username == body.username).first()
         if dup:
             raise HTTPException(status_code=409, detail="Username already taken")
+        changes["username"] = {"old": target.username, "new": body.username}
         target.username = body.username
 
     if body.email is not None and body.email != target.email:
         dup = db.query(User).filter(User.email == body.email).first()
         if dup:
             raise HTTPException(status_code=409, detail="Email already taken")
+        changes["email"] = {"old": target.email, "new": body.email}
         target.email = body.email
 
     if body.role is not None:
@@ -139,12 +156,24 @@ def admin_edit_user(
             raise HTTPException(status_code=status_code, detail=error_msg)
         # Force logout when role changes
         if target.role != body.role:
+            changes["role"] = {"old": target.role, "new": body.role}
             target.token_version = target.effective_token_version + 1
         target.role = body.role
 
     if body.max_running_bots is not None:
+        changes["max_running_bots"] = {"old": target.max_running_bots, "new": body.max_running_bots}
         target.max_running_bots = body.max_running_bots
 
+    write_audit_log(
+        db,
+        operator,
+        "user.edit",
+        target_type="user",
+        target_id=target.id,
+        target_name=target.username,
+        detail=changes,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(target)
     return target
@@ -154,6 +183,7 @@ def admin_edit_user(
 def set_max_bots(
     user_id: int,
     body: dict,
+    request: Request,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
 ):
@@ -162,7 +192,18 @@ def set_max_bots(
         raise HTTPException(status_code=404, detail="User not found")
     if not can_manage_user(operator, user.role):
         raise HTTPException(status_code=403, detail="Cannot manage this user")
+    old_val = user.max_running_bots
     user.max_running_bots = body["max_running_bots"]
+    write_audit_log(
+        db,
+        operator,
+        "user.set_max_bots",
+        target_type="user",
+        target_id=user.id,
+        target_name=user.username,
+        detail={"old": old_val, "new": user.max_running_bots},
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(user)
     return {"id": user.id, "max_running_bots": user.max_running_bots}
@@ -171,6 +212,7 @@ def set_max_bots(
 @router.post("/users/{user_id}/reset-password", response_model=PasswordResetOut)
 def admin_reset_password(
     user_id: int,
+    request: Request,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
 ):
@@ -185,6 +227,15 @@ def admin_reset_password(
     target.must_change_password = True
     # Force logout - invalidate all existing tokens
     target.token_version = target.effective_token_version + 1
+    write_audit_log(
+        db,
+        operator,
+        "user.reset_password",
+        target_type="user",
+        target_id=target.id,
+        target_name=target.username,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(target)
     return PasswordResetOut(id=target.id, username=target.username, new_password=raw_password)
@@ -193,6 +244,7 @@ def admin_reset_password(
 @router.post("/users/{user_id}/force-logout")
 def force_logout_user(
     user_id: int,
+    request: Request,
     operator: User = Depends(require_admin),
     db: Session = Depends(get_db),
 ):
@@ -203,6 +255,15 @@ def force_logout_user(
     if not can_manage_user(operator, target.role):
         raise HTTPException(status_code=403, detail="Cannot manage this user")
     target.token_version = target.effective_token_version + 1
+    write_audit_log(
+        db,
+        operator,
+        "user.force_logout",
+        target_type="user",
+        target_id=target.id,
+        target_name=target.username,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     return {"id": target.id, "username": target.username, "message": "User logged out successfully"}
 
@@ -235,7 +296,9 @@ def platform_stats(
 
 @router.get("/backup")
 def download_backup(
+    request: Request,
     _admin: User = Depends(require_super_admin),
+    db: Session = Depends(get_db),
 ):
     """Download full SQLite database backup (super_admin only)."""
     from lockbot.backend.app.config import DATABASE_URL
@@ -258,6 +321,9 @@ def download_backup(
             os.unlink(tmp_path)
         raise
 
+    write_audit_log(db, _admin, "admin.backup", ip=request.client.host if request.client else None)
+    db.commit()
+
     filename = f"lockbot_backup_{datetime.now().strftime('%Y%m%d_%H%M%S')}.db"
     return FileResponse(
         path=tmp_path,
@@ -272,6 +338,7 @@ _DEFAULT_DATA_DIR = os.environ.get("DATA_DIR", "/data")
 
 @router.get("/bot-states")
 def download_all_bot_states(
+    request: Request,
     _admin: User = Depends(require_super_admin),
     db: Session = Depends(get_db),
 ):
@@ -299,6 +366,9 @@ def download_all_bot_states(
     buf.seek(0)
     content = buf.read()
 
+    write_audit_log(db, _admin, "admin.bot_states", ip=request.client.host if request.client else None)
+    db.commit()
+
     filename = f"lockbot_states_{datetime.now().strftime('%Y%m%d_%H%M%S')}.zip"
     return Response(
         content=content,

lockbot-2.4.0/python/lockbot/backend/app/audit/models.py

@@ -0,0 +1,37 @@
+"""
+AuditLog model — records who did what, when, and to which resource.
+"""
+
+from datetime import datetime
+
+from sqlalchemy import DateTime, Integer, String, Text, func
+from sqlalchemy.orm import Mapped, mapped_column
+
+from lockbot.backend.app.database import Base
+
+
+class AuditLog(Base):
+    __tablename__ = "audit_logs"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+
+    # Operator info (denormalized so records survive user deletion)
+    operator_id: Mapped[int | None] = mapped_column(Integer, nullable=True)
+    operator_username: Mapped[str] = mapped_column(String(64), nullable=False)
+    operator_role: Mapped[str] = mapped_column(String(16), nullable=False)
+
+    # Action: namespace.verb, e.g. "auth.login", "bot.start", "user.create"
+    action: Mapped[str] = mapped_column(String(64), nullable=False, index=True)
+
+    # Target resource (optional)
+    target_type: Mapped[str | None] = mapped_column(String(16), nullable=True)  # "user" | "bot"
+    target_id: Mapped[int | None] = mapped_column(Integer, nullable=True)
+    target_name: Mapped[str | None] = mapped_column(String(128), nullable=True)  # denormalized
+
+    # Extra context (JSON string)
+    detail: Mapped[str | None] = mapped_column(Text, nullable=True)
+
+    ip_address: Mapped[str | None] = mapped_column(String(64), nullable=True)
+    result: Mapped[str] = mapped_column(String(16), nullable=False, default="success")  # success | failure
+
+    created_at: Mapped[datetime] = mapped_column(DateTime, server_default=func.now(), index=True)

lockbot-2.4.0/python/lockbot/backend/app/audit/router.py

@@ -0,0 +1,141 @@
+"""
+Audit log query API.
+
+Visibility rules:
+  - super_admin : sees ALL records
+  - admin       : sees records where operator_id is in the set of
+                  {own id} ∪ {ids of users with role="user"}
+                  (admins cannot see each other's actions)
+  - user        : sees own records (operator_id == self) PLUS anonymous
+                  failed-login attempts where operator_username == self
+                  (so users can detect brute-force attempts on their account)
+"""
+
+import json
+from datetime import datetime
+from typing import Any
+
+from fastapi import APIRouter, Depends, Query
+from pydantic import BaseModel
+from sqlalchemy import and_, or_
+from sqlalchemy.orm import Session
+
+from lockbot.backend.app.audit.models import AuditLog
+from lockbot.backend.app.auth.dependencies import get_current_user
+from lockbot.backend.app.auth.models import User
+from lockbot.backend.app.database import get_db
+
+router = APIRouter(prefix="/api/audit", tags=["audit"])
+
+
+class AuditLogOut(BaseModel):
+    id: int
+    operator_id: int | None
+    operator_username: str
+    operator_role: str
+    action: str
+    target_type: str | None
+    target_id: int | None
+    target_name: str | None
+    detail: Any | None  # parsed JSON or raw string
+    ip_address: str | None
+    result: str
+    created_at: datetime
+
+    model_config = {"from_attributes": True}
+
+
+class AuditLogsPage(BaseModel):
+    total: int
+    items: list[AuditLogOut]
+
+
+def _parse_detail(raw: str | None) -> Any:
+    if raw is None:
+        return None
+    try:
+        return json.loads(raw)
+    except Exception:
+        return raw
+
+
+def _to_out(log: AuditLog) -> AuditLogOut:
+    return AuditLogOut(
+        id=log.id,
+        operator_id=log.operator_id,
+        operator_username=log.operator_username,
+        operator_role=log.operator_role,
+        action=log.action,
+        target_type=log.target_type,
+        target_id=log.target_id,
+        target_name=log.target_name,
+        detail=_parse_detail(log.detail),
+        ip_address=log.ip_address,
+        result=log.result,
+        created_at=log.created_at,
+    )
+
+
+@router.get("/logs", response_model=AuditLogsPage)
+def list_audit_logs(
+    # Filters
+    action: str | None = Query(None, description="Filter by action, e.g. 'bot.start'"),
+    operator_id: int | None = Query(None),
+    operator_username: str | None = Query(None, description="Filter by operator username (partial match)"),
+    target_type: str | None = Query(None),
+    target_id: int | None = Query(None),
+    result: str | None = Query(None, description="'success' or 'failure'"),
+    start_date: datetime | None = Query(None),
+    end_date: datetime | None = Query(None),
+    # Pagination
+    page: int = Query(1, ge=1),
+    limit: int = Query(50, ge=1, le=200),
+    # Auth
+    operator: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    q = db.query(AuditLog)
+
+    # --- Visibility scope ---
+    if operator.role == "user":
+        # Own authenticated actions + anonymous failed-login attempts targeting this account
+        q = q.filter(
+            or_(
+                AuditLog.operator_id == operator.id,
+                and_(
+                    AuditLog.operator_id.is_(None),
+                    AuditLog.operator_username == operator.username,
+                    AuditLog.action == "auth.login",
+                    AuditLog.result == "failure",
+                ),
+            )
+        )
+    elif operator.role != "super_admin":
+        # admin: own actions + actions of users they manage (role="user")
+        # Also include anonymous records (operator_id IS NULL, e.g. failed logins)
+        managed_ids = [u.id for u in db.query(User.id).filter(User.role == "user").all()]
+        visible_ids = list({operator.id, *managed_ids})
+        q = q.filter(or_(AuditLog.operator_id.in_(visible_ids), AuditLog.operator_id.is_(None)))
+
+    # --- Filters ---
+    if action:
+        q = q.filter(AuditLog.action == action)
+    if operator_id is not None:
+        q = q.filter(AuditLog.operator_id == operator_id)
+    if operator_username:
+        q = q.filter(AuditLog.operator_username.ilike(f"%{operator_username}%"))
+    if target_type:
+        q = q.filter(AuditLog.target_type == target_type)
+    if target_id is not None:
+        q = q.filter(AuditLog.target_id == target_id)
+    if result:
+        q = q.filter(AuditLog.result == result)
+    if start_date:
+        q = q.filter(AuditLog.created_at >= start_date)
+    if end_date:
+        q = q.filter(AuditLog.created_at <= end_date)
+
+    total = q.count()
+    items = q.order_by(AuditLog.created_at.desc()).offset((page - 1) * limit).limit(limit).all()
+
+    return AuditLogsPage(total=total, items=[_to_out(i) for i in items])

lockbot-2.4.0/python/lockbot/backend/app/audit/service.py

@@ -0,0 +1,72 @@
+"""
+Audit log service — write_audit_log() helper.
+
+Failures are logged as warnings and never propagate to the caller,
+so audit recording never breaks the main business flow.
+"""
+
+import json
+import logging
+from types import SimpleNamespace
+from typing import Any
+
+from sqlalchemy.orm import Session
+
+from lockbot.backend.app.audit.models import AuditLog
+
+logger = logging.getLogger(__name__)
+
+
+def _anon_operator(username: str, role: str = "unknown") -> Any:
+    """Build a lightweight non-ORM operator for anonymous/failed operations."""
+    return SimpleNamespace(id=None, username=username, role=role)
+
+
+def write_audit_log(
+    db: Session,
+    operator: Any,
+    action: str,
+    *,
+    target_type: str | None = None,
+    target_id: int | None = None,
+    target_name: str | None = None,
+    detail: dict | str | None = None,
+    ip: str | None = None,
+    result: str = "success",
+) -> None:
+    """
+    Write one audit log entry.
+
+    :param db:           SQLAlchemy session (already open, caller commits).
+    :param operator:     Object with .id, .username, .role  (User ORM or SimpleNamespace).
+    :param action:       Dot-namespaced verb, e.g. "auth.login", "bot.start", "user.create".
+    :param target_type:  Optional resource type: "user" | "bot".
+    :param target_id:    Optional resource primary key.
+    :param target_name:  Optional denormalized resource name.
+    :param detail:       Optional dict or JSON string with extra context.
+    :param ip:           Client IP address (from request.client.host).
+    :param result:       "success" (default) or "failure".
+    """
+    try:
+        detail_str: str | None = None
+        if isinstance(detail, dict):
+            detail_str = json.dumps(detail, ensure_ascii=False)
+        elif isinstance(detail, str):
+            detail_str = detail
+
+        log = AuditLog(
+            operator_id=operator.id,
+            operator_username=operator.username,
+            operator_role=operator.role,
+            action=action,
+            target_type=target_type,
+            target_id=target_id,
+            target_name=target_name,
+            detail=detail_str,
+            ip_address=ip,
+            result=result,
+        )
+        db.add(log)
+        db.flush()  # Write within the same transaction as the main operation
+    except Exception:
+        logger.warning("Failed to write audit log for action=%s operator=%s", action, operator.username, exc_info=True)

{lockbot-2.3.2 → lockbot-2.4.0}/python/lockbot/backend/app/auth/dependencies.py

@@ -85,9 +85,17 @@ def can_assign_role(operator: User, target: User, new_role: str) -> tuple[bool,
 
     Returns (allowed, http_status_code, error_message).
     This consolidates all role assignment permission checks in one place.
+
+    NOTE: super_admin can only be created/promoted via CLI tool (create_super_admin),
+    not through the web API, to prevent permission escalation and ensure a single
+    source of truth for the highest privilege level.
     """
+    # super_admin cannot be assigned via API
+    if new_role == "super_admin":
+        return False, 403, "Super admin can only be managed via CLI tool"
+
     # Validate role
-    valid_roles = ("super_admin", "admin", "user")
+    valid_roles = ("admin", "user")
     if new_role not in valid_roles:
         return False, 400, f"Invalid role, must be one of {valid_roles}"
 
@@ -95,8 +103,8 @@ def can_assign_role(operator: User, target: User, new_role: str) -> tuple[bool,
     if not can_manage_user(operator, target.role):
         return False, 403, "Cannot manage this user"
 
-    # Only super_admin can assign admin or super_admin role
-    if new_role in ("admin", "super_admin") and operator.role != "super_admin":
+    # Only super_admin can assign admin role
+    if new_role == "admin" and operator.role != "super_admin":
         return False, 403, "Only super admin can assign this role"
 
     return True, 200, ""

{lockbot-2.3.2 → lockbot-2.4.0}/python/lockbot/backend/app/auth/router.py

@@ -6,11 +6,12 @@ import secrets
 import string
 
 import bcrypt as _bcrypt
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Request, status
 from sqlalchemy import or_
 from sqlalchemy.orm import Session
 
 import lockbot.backend.app.config as _config
+from lockbot.backend.app.audit.service import _anon_operator, write_audit_log
 from lockbot.backend.app.auth.dependencies import create_access_token, get_current_user
 from lockbot.backend.app.auth.models import User
 from lockbot.backend.app.auth.schemas import (
@@ -23,6 +24,7 @@ from lockbot.backend.app.auth.schemas import (
     UserRegister,
 )
 from lockbot.backend.app.database import get_db
+from lockbot.backend.app.rate_limit import limiter
 
 router = APIRouter(prefix="/api/auth", tags=["auth"])
 
@@ -50,7 +52,8 @@ def _generate_password(length: int = 12) -> str:
 
 
 @router.post("/register", response_model=UserOut, status_code=status.HTTP_201_CREATED)
-def register(body: UserRegister, db: Session = Depends(get_db)):
+@limiter.limit("5/minute")
+def register(request: Request, body: UserRegister, db: Session = Depends(get_db)):
     if not _config.ALLOW_REGISTER:
         raise HTTPException(status_code=403, detail="Registration is disabled. Contact admin.")
 
@@ -70,10 +73,24 @@ def register(body: UserRegister, db: Session = Depends(get_db)):
 
 
 @router.post("/login", response_model=TokenOut)
-def login(body: UserLogin, db: Session = Depends(get_db)):
+@limiter.limit("10/minute")
+def login(request: Request, body: UserLogin, db: Session = Depends(get_db)):
+    ip = request.client.host if request.client else None
     user = db.query(User).filter(User.username == body.username).first()
     if not user or not _verify_password(body.password, user.password_hash):
+        write_audit_log(
+            db,
+            _anon_operator(body.username),
+            "auth.login",
+            ip=ip,
+            result="failure",
+            detail={"reason": "invalid credentials"},
+        )
+        db.commit()
         raise HTTPException(status_code=401, detail="Invalid credentials")
+
+    write_audit_log(db, user, "auth.login", ip=ip)
+    db.commit()
     return TokenOut(
         access_token=create_access_token(user.id, user.effective_token_version, user.must_change_password),
         must_change_password=user.must_change_password,
@@ -87,6 +104,7 @@ def me(user: User = Depends(get_current_user)):
 
 @router.put("/change-password", response_model=TokenOut)
 def change_password(
+    request: Request,
     body: ChangePassword,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -97,6 +115,7 @@ def change_password(
         raise HTTPException(status_code=400, detail="Password must be at least 6 characters")
     user.password_hash = _hash_password(body.new_password)
     user.must_change_password = False
+    write_audit_log(db, user, "auth.change_password", ip=request.client.host if request.client else None)
     db.commit()
     return TokenOut(
         access_token=create_access_token(user.id, user.effective_token_version, False),
@@ -106,6 +125,7 @@ def change_password(
 
 @router.put("/force-change-password", response_model=TokenOut)
 def force_change_password(
+    request: Request,
     body: ForceChangePassword,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -118,6 +138,13 @@ def force_change_password(
         raise HTTPException(status_code=400, detail="Password must be at least 6 characters")
     user.password_hash = _hash_password(body.new_password)
     user.must_change_password = False
+    write_audit_log(
+        db,
+        user,
+        "auth.change_password",
+        ip=request.client.host if request.client else None,
+        detail={"type": "force_change"},
+    )
     db.commit()
     return TokenOut(
         access_token=create_access_token(user.id, user.effective_token_version, False),
@@ -127,6 +154,7 @@ def force_change_password(
 
 @router.put("/change-email", response_model=UserOut)
 def change_email(
+    request: Request,
     body: ChangeEmail,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -134,7 +162,15 @@ def change_email(
     exists = db.query(User).filter(User.email == body.new_email).filter(User.id != user.id).first()
     if exists:
         raise HTTPException(status_code=409, detail="Email already taken")
+    old_email = user.email
     user.email = body.new_email
+    write_audit_log(
+        db,
+        user,
+        "auth.change_email",
+        ip=request.client.host if request.client else None,
+        detail={"old_email": old_email, "new_email": body.new_email},
+    )
     db.commit()
     db.refresh(user)
     return user

{lockbot-2.3.2 → lockbot-2.4.0}/python/lockbot/backend/app/bots/router.py

@@ -15,6 +15,7 @@ from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import PlainTextResponse
 from sqlalchemy.orm import Session
 
+from lockbot.backend.app.audit.service import write_audit_log
 from lockbot.backend.app.auth.dependencies import get_current_user, require_admin, require_super_admin
 from lockbot.backend.app.auth.models import User
 from lockbot.backend.app.bots import encryption
@@ -23,6 +24,7 @@ from lockbot.backend.app.bots.models import Bot
 from lockbot.backend.app.bots.schemas import BotCreate, BotDetail, BotOut, BotStatusOut, BotUpdate
 from lockbot.backend.app.bots.webhook_handler import handle_webhook
 from lockbot.backend.app.database import get_db
+from lockbot.backend.app.rate_limit import limiter
 from lockbot.core.config import Config
 from lockbot.core.i18n import t
 from lockbot.core.msg_utils import check_signature
@@ -172,6 +174,7 @@ def list_bots(
 
 @router.post("", response_model=BotOut, status_code=status.HTTP_201_CREATED)
 def create_bot(
+    request: Request,
     body: BotCreate,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -204,6 +207,17 @@ def create_bot(
         config_overrides=json.dumps(body.config_overrides or {}, ensure_ascii=False),
     )
     db.add(bot)
+    db.flush()
+    write_audit_log(
+        db,
+        user,
+        "bot.create",
+        target_type="bot",
+        target_id=bot.id,
+        target_name=bot.name,
+        detail={"bot_type": bot.bot_type, "platform": bot.platform},
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(bot)
 
@@ -287,6 +301,7 @@ def get_bot(
 @router.put("/{bot_id}", response_model=BotOut)
 def update_bot(
     bot_id: int,
+    request: Request,
     body: BotUpdate,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -300,6 +315,7 @@ def update_bot(
     if bot.status == "running":
         raise HTTPException(status_code=409, detail="Cannot update a running bot. Stop it first.")
 
+    changes = {}
     if body.name is not None:
         # Check for duplicate name (excluding current bot and deleted bots)
         dup = (
@@ -314,20 +330,36 @@ def update_bot(
         )
         if dup:
             raise HTTPException(status_code=409, detail="Bot name already exists")
+        changes["name"] = [bot.name, body.name]
         bot.name = body.name
     if body.group_id is not None:
         bot.group_id = body.group_id
     if body.webhook_url is not None:
+        changes["webhook_url"] = True
         bot.webhook_url = encryption.encrypt(body.webhook_url)
     if body.aes_key is not None:
+        changes["aes_key"] = True
         bot.aes_key = encryption.encrypt(body.aes_key)
     if body.token is not None:
+        changes["token"] = True
         bot.token = encryption.encrypt(body.token)
     if body.cluster_configs is not None:
+        changes["cluster_configs"] = True
         bot.cluster_configs = json.dumps(body.cluster_configs, ensure_ascii=False)
     if body.config_overrides is not None:
+        changes["config_overrides"] = True
         bot.config_overrides = json.dumps(body.config_overrides, ensure_ascii=False)
 
+    write_audit_log(
+        db,
+        user,
+        "bot.update",
+        target_type="bot",
+        target_id=bot_id,
+        target_name=bot.name,
+        detail={"changed": list(changes.keys())},
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(bot)
     return bot
@@ -336,6 +368,7 @@ def update_bot(
 @router.delete("/{bot_id}", status_code=status.HTTP_204_NO_CONTENT)
 def delete_bot(
     bot_id: int,
+    request: Request,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
 ):
@@ -352,8 +385,18 @@ def delete_bot(
         bot.status = "stopped"
         bot.pid = None
 
+    bot_name = bot.name
     bot.is_deleted = True
     bot.deleted_at = datetime.utcnow()
+    write_audit_log(
+        db,
+        user,
+        "bot.delete",
+        target_type="bot",
+        target_id=bot_id,
+        target_name=bot_name,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
 
 
@@ -361,6 +404,7 @@ def delete_bot(
 def transfer_bot_owner(
     bot_id: int,
     body: dict,
+    request: Request,
     user: User = Depends(require_super_admin),
     db: Session = Depends(get_db),
 ):
@@ -380,6 +424,16 @@ def transfer_bot_owner(
     old_owner = db.get(User, bot.user_id)
     old_name = old_owner.username if old_owner else "unknown"
     bot.user_id = target_user.id
+    write_audit_log(
+        db,
+        user,
+        "bot.transfer",
+        target_type="bot",
+        target_id=bot_id,
+        target_name=bot.name,
+        detail={"from": old_name, "to": target_username},
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
 
     _write_log(bot_id, f"Owner transferred from {old_name} to {target_username} by {user.username}")
@@ -393,7 +447,9 @@ MAX_CONSECUTIVE_FAILURES = 3
 
 
 @router.post("/{bot_id}/start", response_model=BotStatusOut)
+@limiter.limit("10/minute")
 def start_bot(
+    request: Request,
     bot_id: int,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -451,6 +507,15 @@ def start_bot(
     bot.status = "running"
     bot.pid = pid
     bot.consecutive_failures = 0
+    write_audit_log(
+        db,
+        user,
+        "bot.start",
+        target_type="bot",
+        target_id=bot_id,
+        target_name=bot.name,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(bot)
     _write_log(bot_id, "Bot 已启动")
@@ -459,7 +524,9 @@ def start_bot(
 
 
 @router.post("/{bot_id}/stop", response_model=BotStatusOut)
+@limiter.limit("10/minute")
 def stop_bot(
+    request: Request,
     bot_id: int,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -479,6 +546,15 @@ def stop_bot(
     bot.status = "stopped"
     bot.pid = None
     bot.consecutive_failures = 0
+    write_audit_log(
+        db,
+        user,
+        "bot.stop",
+        target_type="bot",
+        target_id=bot_id,
+        target_name=bot.name,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     _write_log(bot_id, "Bot 已停止")
 
@@ -486,7 +562,9 @@ def stop_bot(
 
 
 @router.post("/{bot_id}/restart", response_model=BotStatusOut)
+@limiter.limit("10/minute")
 def restart_bot(
+    request: Request,
     bot_id: int,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -507,6 +585,15 @@ def restart_bot(
 
     bot.status = "running"
     bot.pid = pid
+    write_audit_log(
+        db,
+        user,
+        "bot.restart",
+        target_type="bot",
+        target_id=bot_id,
+        target_name=bot.name,
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
     db.refresh(bot)
     _write_log(bot_id, "Bot 已重启")
@@ -520,6 +607,7 @@ def restart_bot(
 @router.put("/{bot_id}/language")
 def set_bot_language(
     bot_id: int,
+    request: Request,
     body: dict,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -535,6 +623,17 @@ def set_bot_language(
     overrides = json.loads(bot.config_overrides or "{}")
     overrides["LANGUAGE"] = lang
     bot.config_overrides = json.dumps(overrides, ensure_ascii=False)
+
+    write_audit_log(
+        db,
+        user,
+        "bot.set_language",
+        target_type="bot",
+        target_id=bot_id,
+        target_name=bot.name,
+        detail={"language": lang},
+        ip=request.client.host if request.client else None,
+    )
     db.commit()
 
     # Hot-apply to running instance (no restart)
@@ -789,6 +888,7 @@ def _validate_device_state(state, cluster_configs, warnings, config):
 @router.put("/{bot_id}/state")
 def update_bot_state(
     bot_id: int,
+    request: Request,
     state: dict,
     user: User = Depends(require_admin),
     db: Session = Depends(get_db),
@@ -834,6 +934,17 @@ def update_bot_state(
     result = {"message": "State updated"}
     if warnings:
         result["warnings"] = warnings
+    write_audit_log(
+        db,
+        user,
+        "bot.edit_state",
+        target_type="bot",
+        target_id=bot_id,
+        target_name=bot.name,
+        detail={"warnings": warnings} if warnings else None,
+        ip=request.client.host if request.client else None,
+    )
+    db.commit()
     return result
 
 
@@ -885,6 +996,7 @@ def get_bot_logs(
 
 
 @router.post("/webhook/{bot_id}")
+@limiter.limit("120/minute")
 async def webhook(bot_id: int, request: Request, db: Session = Depends(get_db)):
     """
     IM callback endpoint.

{lockbot-2.3.2 → lockbot-2.4.0}/python/lockbot/backend/app/config.py

@@ -27,6 +27,10 @@ ENCRYPTION_KEY = os.environ.get("ENCRYPTION_KEY", "")
 # Activity monitoring
 INACTIVE_THRESHOLD_DAYS = 7
 
+# Rate limiting — Redis storage URI (optional, falls back to in-memory)
+# Example: redis://localhost:6379
+REDIS_URL = os.environ.get("REDIS_URL", "")
+
 # Feature flags
 ALLOW_REGISTER = os.environ.get("ALLOW_REGISTER", "false").lower() in ("true", "1", "yes")
 

{lockbot-2.3.2 → lockbot-2.4.0}/python/lockbot/backend/app/main.py

@@ -12,10 +12,12 @@ from fastapi.middleware.cors import CORSMiddleware
 from fastapi.staticfiles import StaticFiles
 
 # Import models to register them with Base.metadata
+import lockbot.backend.app.audit.models  # noqa: F401
 import lockbot.backend.app.auth.models  # noqa: F401
 import lockbot.backend.app.bots.models  # noqa: F401
 import lockbot.backend.app.settings.models  # noqa: F401
 from lockbot.backend.app.admin.router import router as admin_router
+from lockbot.backend.app.audit.router import router as audit_router
 from lockbot.backend.app.auth.router import router as auth_router
 from lockbot.backend.app.bots.router import router as bots_router
 from lockbot.backend.app.database import Base, SessionLocal, engine
@@ -106,6 +108,16 @@ def _migrate_users_token_version():
         logger.info("Migrated users: added 'token_version' column")
 
 
+def _migrate_audit_logs():
+    """Create audit_logs table if it doesn't exist (backward-compatible migration)."""
+    from sqlalchemy import inspect as sa_inspect
+
+    insp = sa_inspect(engine)
+    if "audit_logs" not in insp.get_table_names():
+        Base.metadata.tables["audit_logs"].create(bind=engine)
+        logger.info("Created audit_logs table")
+
+
 def _seed_dev_admin():
     """Create admin user in dev mode if it doesn't exist."""
     from lockbot.backend.app.config import (
@@ -189,6 +201,7 @@ async def lifespan(app: FastAPI):
     _migrate_users_must_change_password()
     _migrate_users_token_version()
     _migrate_bot_soft_delete()
+    _migrate_audit_logs()
     _seed_dev_admin()
     _seed_dev_users()
     _reset_running_bots()
@@ -258,12 +271,21 @@ def _reset_running_bots():
 def create_app() -> FastAPI:
     from importlib.metadata import version as _pkg_version
 
+    from slowapi import _rate_limit_exceeded_handler
+    from slowapi.errors import RateLimitExceeded
+
+    from lockbot.backend.app.rate_limit import limiter
+
     try:
         _ver = _pkg_version("lockbot")
     except Exception:
         _ver = "unknown"
     app = FastAPI(title="LockBot Platform", version=_ver, lifespan=lifespan)
 
+    # Rate limiting
+    app.state.limiter = limiter
+    app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
+
     app.add_middleware(
         CORSMiddleware,
         allow_origins=["*"],
@@ -276,6 +298,7 @@ def create_app() -> FastAPI:
     app.include_router(bots_router)
     app.include_router(admin_router)
     app.include_router(settings_router)
+    app.include_router(audit_router)
 
     # Serve frontend static files (built by vite)
     # In Docker: /app/frontend/dist — locally: project_root/frontend/dist

lockbot-2.4.0/python/lockbot/backend/app/rate_limit.py

@@ -0,0 +1,20 @@
+"""
+Rate limiter singleton.
+
+Uses in-memory storage by default.  Set the REDIS_URL environment variable
+to automatically upgrade to Redis-backed storage for distributed deployments.
+
+Example:
+    REDIS_URL=redis://localhost:6379   → Redis storage
+    (unset)                            → in-memory storage
+"""
+
+from slowapi import Limiter
+from slowapi.util import get_remote_address
+
+from lockbot.backend.app.config import REDIS_URL
+
+limiter = Limiter(
+    key_func=get_remote_address,
+    storage_uri=REDIS_URL if REDIS_URL else "memory://",
+)

{lockbot-2.3.2 → lockbot-2.4.0/python/lockbot.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lockbot
-Version: 2.3.2
+Version: 2.4.0
 Summary: Cluster resource management bot for IM platforms
 Author-email: Jianbang Yang <yangjianbang112@gmail.com>
 License: MIT
@@ -33,6 +33,7 @@ Requires-Dist: cryptography
 Requires-Dist: bcrypt
 Requires-Dist: python-multipart
 Requires-Dist: httpx
+Requires-Dist: slowapi
 Provides-Extra: dev
 Requires-Dist: pytest>=7.0; extra == "dev"
 Requires-Dist: ruff>=0.1.0; extra == "dev"

{lockbot-2.3.2 → lockbot-2.4.0}/python/lockbot.egg-info/SOURCES.txt

@@ -13,8 +13,13 @@ python/lockbot/backend/app/__init__.py
 python/lockbot/backend/app/config.py
 python/lockbot/backend/app/database.py
 python/lockbot/backend/app/main.py
+python/lockbot/backend/app/rate_limit.py
 python/lockbot/backend/app/admin/__init__.py
 python/lockbot/backend/app/admin/router.py
+python/lockbot/backend/app/audit/__init__.py
+python/lockbot/backend/app/audit/models.py
+python/lockbot/backend/app/audit/router.py
+python/lockbot/backend/app/audit/service.py
 python/lockbot/backend/app/auth/__init__.py
 python/lockbot/backend/app/auth/dependencies.py
 python/lockbot/backend/app/auth/models.py

{lockbot-2.3.2 → lockbot-2.4.0}/python/lockbot.egg-info/requires.txt

@@ -10,6 +10,7 @@ cryptography
 bcrypt
 python-multipart
 httpx
+slowapi
 
 [dev]
 pytest>=7.0